6/15/2015 05:30 PM

3 Keys For More Effective Security Spend

New study models security costs to show how variables can affect the risk to ROI equation over time.

Security teams could get a whole lot more bang for their buck if CISOs spent their budgets more strategically.  A recent study by RAND Corporation sponsored by Juniper Networks pinpointed a number of areas that IT security can adjust to reduce the overall cost of managing risk in the enterprise.

Based on months of research and interviews with CISOs at over 1,000 organizations by RAND experts, the report lays out a framework that it claims is the first of its kind to chart the holistic costs of managing risk, factoring in not just the cost and probability of potential breaches and incidents, but also the cost of defense.

The framework is based on 27 variables that RAND researchers could quantitatively show influence an organization's costs over a 10-year period. These include organizational characteristics, security program decisions and investments, and changes in the technology ecosystem.

According to RAND researchers, security costs are on track to rise 38 percent over the next decade for most organizations. If organizations can tweak their spending in critical areas, they may well be able to reduce that rate considerably.

"The security industry has struggled to understand the dynamics that influence the true cost of security risks to business," says Sherry Ryan, chief information security officer for Juniper. "What’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats.”

One consideration organizations particularly need to be mindful of is that mitigating a risk transfers cost rather than eliminating it. At the moment, roughly one-third of the losses avoided by mitigating risks is offset by the increased cost of the tools used to do so, both in acquiring the tools and in an "implicit reduction in the value of networking," according to the report.

Clearly, some variables can produce better cost avoidance results than others. Within the study, some key highlights bubbled to the surface. The following are three of the top findings that should inform the way organizations decide to allocate their security spend.


Software Vulns are Expensive

Make no bones about it, software flaws are expensive. When they developed their heuristic model of cybersecurity, RAND researchers found that when organizations are able to cut the frequency of software vulnerabilities in half, they can cut the overall cost of cybersecurity by a whopping 25 percent.

"There need to be better mechanisms to convey the interests that organizations have in the quality of code to those responsible for getting the code into products," RAND's researchers wrote.


Beware the Half Life

According to RAND researchers, the cat-and-mouse game between security researchers and advanced attackers yields a sort of half-life of effectiveness for many types of detection-based security technology. Research showed that technologies that depended on things like anomaly detection, signature detection, and sandboxing tend to show effectiveness decreases of 65 percent over the course of a decade due to attacker countermeasures designed to circumvent them.

This reduction in effectiveness increases cost by 16.2 percent over the course of a decade.

Researchers explained that technologies focused on improving overall security hygiene and reducing risk exposure tend to be less prone to this half-life phenomenon. These include network access control, firewall policy enforcement, network segregation, and patch management.

"As defenses are installed, organizations must realize they are dealing with a thinking adversary and that measures installed to thwart hackers tend to induce countermeasures as hackers probe for ways around or through new defenses," the report said. "This tit-for-tat exchange will eventually drive measures toward increasing expense, additional complexity, and, arguably, less reliability. Corporations should think about installing measures of the sort that are less likely to attract countermeasures."


Invest in Workforce

Meanwhile, the research done in conjunction with the report bears out something security experts have been saying for years: people are a key component in the recipe for security success, right alongside processes and technology. RAND reports that companies with the most effective security staff can cut the cost of cybersecurity by 19 percent in the first year and 28 percent by the 10th year that the model runs.

This is an interesting contrast with the previous point about technological half-life: RAND's model shows that even as the effectiveness of detection technology decays, good security analysts get better over time.

"With more cybersecurity employees, organizations can be more proactive in identifying potential incidents by putting people to work on log and event tracking, as well as on developing strategy and architecture for future systems," RAND's researchers said.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Comments

Ulf Mattsson, User Rank: Moderator
6/16/2015 | 1:51:50 PM
Attacker countermeasures
I agree that "technologies that depended on things like anomaly detection, signature detection, and sandboxing tend to show effectiveness decreases of 65 percent over the course of a decade due to attacker countermeasures designed to circumvent them."

Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years. Unfortunately, current security approaches can't tell you what normal looks like in your own systems.

I think that we need to focus on protecting our sensitive data itself.

I found great advice in a Gartner report, covering enterprise and cloud, that analyzed solutions for Data Protection and Data Access Governance; the title of the report is "Market Guide for Data-Centric Audit and Protection." I recently read another interesting Gartner report, "Big Data Needs a Data-Centric Security Focus," concluding, "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach." Gartner is proposing data tokenization as an effective approach to securing sensitive data.

I suggest that we should secure sensitive data across the entire data flow, including cloud, big data and enterprise systems. This approach can be very effective in addressing attacks against data, also from insider threats.

Ulf Mattsson, CTO Protegrity
bulgarian, User Rank: Apprentice
6/16/2015 | 6:16:56 AM
Appreciating
Security has been a critical issue these days. Thanks for sharing such valuable content; waiting for more from you.